Office of Inspector General

September 15, 2005

STEVEN W. MONTEITH
EXECUTIVE DIRECTOR, HUMAN CAPITAL ENTERPRISE

SUBJECT: Audit Report – Human Capital Enterprise SAP Human Resources Project (Report Number IS-AR-05-015)

This report presents the interim results of our audit of the Human Capital Enterprise SAP Human Resources Project (Project Number 05BG006IS001). Postal Service management requested that the Office of Inspector General (OIG) review the system controls over roles and separation of duties in the SAP Human Resources system. We plan to perform additional work in this area and issue a final report in the near future.

The Postal Service has not finalized a strategy to establish a core security group for administering the SAP Human Resources security functions, although management has nearly completed the initial phase of project implementation. Also, the Postal Service needs to implement a change management system to document and manage configuration changes. Establishing a security function early in the project implementation phase will reduce dependence on contractors for security functions and facilitate knowledge transfer to Postal Service personnel. Additionally, a suitable change management system will provide the Postal Service with audit trails of all authorized changes to roles and avoid incorrect role assignments.

We made two recommendations pertaining to establishing a core security group to administer SAP security functions. Management has taken action or planned initiatives to address the core functions of the security group. Management also agreed with the intent of recommendation three to implement a formal change management system to document authorized role changes. Management plans to implement an audit trail of these changes after completing its current testing, and stated it is in the process of documenting each role. Management plans to use standard SAP tools and reports to track role assignments and changes, and eAccess to track SAP authorization requests. However, we believe the eAccess system may not be able to comprehensively track all the data needed for SAP authorization requests. Management plans to implement these initiatives no later than January 2006. Management’s comments and our evaluation of these comments are included in the report.

We appreciate the cooperation and courtesies provided by your staff during the audit. If you have any questions or need additional information, please contact Gary Rippie, Director, Information Systems, or me at (703) 248-2300.

E-Signed by Office of Inspector General

John M. Seeba
Deputy Assistant Inspector General
 for Financial Operations

cc: Anthony J. Vegliante
    Robert L. Otto
    George Wright
    Peter Myo Khin
    Steven R. Phelps

Human Capital Enterprise                                                      IS-AR-05-015
 SAP Human Resources Project

                                   INTRODUCTION

Background

There are more than 70 systems supporting the Postal Service’s human resources and payroll functions. The nonintegrated environment creates inefficient and redundant work for a large network of Postal Service employees in area and performance cluster offices.

The Board of Governors approved a Decision Analysis Report that provides $103.4 million in funding for implementation of a human resources shared services project to replace this legacy environment. An Enterprise Resources Planning (ERP) system for the human resources functionalities of the Postal Service is the main component of this shared services project.

The Human Capital Enterprise office has the overall responsibility for implementing the shared services project. The Postal Service established the office as a way to move toward a performance-based culture, which it plans to do by redesigning and streamlining processes and implementing world-class human resources solutions. This effort, called the PostalPeople initiative, consists of the shared services project and the human resources ERP system. The manager, Human Capital Enterprise Programs, has day-to-day responsibility for managing the PostalPeople initiative.

The Postal Service issued a contract for $29 million to SAP Public Services, Incorporated, in July 2004 to acquire software services for ERP implementation. As of March 2005, the total commitment for the shared services project was $70 million. Management expects the project to be completed at the estimated cost of $103.4 million.

The Postal Service is implementing the ERP system using SAP R/3, a commercial ERP solution. This solution will incorporate human resources functionality for all Postal Service employees into a single integrated system. When management fully implements the system, it will incorporate the following modules:

• Organization management
• Personnel administration
• Benefits management
• Personnel development
• Bid management
• Recruitment
• Environmental health and safety
• Training events management
• Compensation management
• Time and leave management

This implementation will also include the employee self-service and manager self-service components that let employees and managers access the system through Web portals.

The initial timeline for the current phase was to complete implementation in the following three performance clusters by August 2005: the Triboro performance cluster in the New York Metro Area, the Santa Ana performance cluster in the Pacific Area, and the Northland performance cluster in the Western Area. However, delay in integration testing forced the Postal Service to postpone implementation until October 2005. This postponement could extend to January 2006 for the Santa Ana and Northland performance clusters.1

Reconciliation issues within associate offices in the Santa Ana and Northland performance clusters contributed to the delay in integration testing. Postal Service executives said they have developed a standardized approach to address these issues in performance clusters targeted for future implementation. Delays in the bid management module and payroll interface readiness also contributed to the delay in integration testing.

Management has configured 88 roles2 for implementing the first phase. Management will load and test organizational data for the Triboro cluster before assigning these roles to the appropriate positions. Additionally, they will perform customer acceptance testing before the Triboro performance cluster goes online.

1 Prior to issuing this final report, we learned the Postal Service plans to delay the Triboro cluster implementation until January 2006 and implement the Santa Ana and Northland clusters in April 2006.
2 A role is a collection of privileges that management can assign to a user or to a different role. These privileges provide the ability to perform operations and impose restrictions on the operations the holder of the role can perform.

Objective, Scope, and Methodology

The objective of this audit was to determine whether there are adequate system controls over roles and separation of duties within the SAP Human Resources system. We conducted our work at Postal Service Headquarters in Washington, D.C., and the SAP development office in Arlington, Virginia.

To identify system controls over the roles and authorizations within the SAP system, we analyzed SAP quality assurance system reports. Our review was limited to determining the adequacy of authorizations in 62 roles identified as of May 23, 2005. During our review, management made a net increase of 26 roles, and we will perform additional work to evaluate these new roles. We will also perform additional work to review the configuration of organizational positions, which were not ready for this review.

To determine the progress made in establishing a security group, we interviewed the executive director, Human Capital Enterprise; the manager, Human Resources Payroll; and the senior SAP consultant. We also reviewed system requirement specifications and SAP best practices.

To determine the adequacy of a change management system, we interviewed the executive sponsors and the SAP consultant and compared procedures to industry best practices.

This audit was conducted from March through September 2005, in accordance with generally accepted government auditing standards, and included such tests of internal controls as were considered necessary under the circumstances. We used manual and automated techniques to analyze the computer-processed data. Based on these tests and assessments, we concluded the data were sufficiently reliable for meeting the objective of our review. We discussed our observations and conclusions with management officials and included their comments where appropriate.

Prior Audit Coverage

We did not identify any prior audits or reviews related to the objective of this audit. This is the initial SAP implementation within the Postal Service.

                                   AUDIT RESULTS

Our preliminary review of the system controls over roles and separation of duties within the SAP Human Resources system indicates the Postal Service is making progress in refining the roles to be implemented in the initial phase of the project. However, the Postal Service has not appointed a core security group or implemented a change management system. Security and controls over the ERP system can be enhanced by appointing a core security group early in the project and implementing a formal change management system.

Core Security Group

Human Capital Enterprise personnel have not finalized a strategy to establish a security group to administer the SAP Human Resources security functions. Management has not defined functional specifications or an organizational structure for a security function for the human resources ERP system. SAP best practices recommend management establish a security function with separate duties for user maintenance, authorization maintenance, and authorization assignment at the inception of the project. Timely establishment of a security group would reduce Postal Service dependence on the contractor to establish and implement the initial SAP controls and security configurations and would facilitate the knowledge transfer to Postal Service personnel needed to provide effective oversight of the system implementations.

With a centralized structure and administration in an ERP system, it is critical for management to establish a security group to oversee ERP administration to ensure that security controls remain effective. The security function for the SAP system should ensure proper segregation of duties in creating roles, assigning roles, role maintenance, and locking and unlocking users. Considering the size and structure of the Postal Service’s ERP system, a dedicated security function with adequate staffing and a proper reporting structure is necessary in order to obtain the desired benefits.

Without definitive guidance from Postal Service management, the SAP contractor has implemented a security architecture that is organized into three functional areas:

• A user maintenance function responsible for locking and unlocking users, changing passwords, and changing attributes. This position cannot create or assign roles or profiles.

• An authorization maintenance function responsible for creating roles and profiles. This function cannot create organizational positions or security-related roles or assign any roles.

• An authorization assignment function responsible for assigning roles. This function cannot create roles or profiles or assign security-related roles.

The SAP contractor made these preliminary decisions because management did not designate any Postal Service personnel for SAP security functions. Postal Service management still needs to evaluate and approve these decisions.

Certain functional responsibilities, such as role maintenance, are operational functions. Best practices suggest separating security oversight from operational functions. The security function will require a proper reporting structure to ensure sufficient independence for oversight and, at the same time, provide the required operational support.

During the requirements analysis stage of the project, the SAP consultants recommended the establishment of a security team that meets the above control requirements. However, because of competing priorities and project management challenges, management has not implemented this recommendation. Establishing a security function early in the project implementation phase will enable the Postal Service to reduce dependence on consultants, transition smoothly from the contractor, and facilitate knowledge transfer.

Recommendation

We recommend the executive director, Human Capital Enterprise:

1. Develop a strategy and milestones to establish a security group for administering the SAP Human Resources security functions.

Management’s Comments

Management agreed with our recommendation and is forming a security group to administer the SAP Human Resources security functions. To ensure separation of duties between the security functions, the Postal Service plans to establish two teams for the security group. Management stated it would initially staff the security group with two full-time personnel by December 10, 2005, and add more full-time or part-time staff as appropriate after the Postal Service implements the three initial sites. The initial staff will attend necessary SAP classes and will receive training from SAP necessary to ensure knowledge transfer. Management’s comments, in their entirety, are included in the appendix of this report.

Recommendation

We recommend the executive director, Human Capital Enterprise, direct the manager, Human Capital Enterprise Programs, to:

2. Verify that role authorizations conform to this strategy.

Management’s Comments

Management agreed with our recommendation and stated they have created and reviewed three separate authorization roles to enforce the separation of duties. The manager, Human Capital Enterprise Programs, will complete this activity by December 10, 2005.

Evaluation of Management’s Comments

Management’s comments are responsive to recommendations 1 and 2, and their actions taken or planned should correct the issues identified in the finding.

Change Management

The Postal Service needs a formal change management system for the ERP system to document baseline role authorizations and subsequent changes. Management has not chosen a final change management solution to document and manage authorization changes. Handbook AS-8053 requires that management establish baseline configurations of Postal Service information resources and make changes prior to deployment to ensure employees do not inadvertently expose information resources to unnecessary risks and vulnerabilities. A formal change management system is required to maintain an audit trail of all authorized role changes and prevent incorrect role configurations and incompatible role assignments.

The Postal Service also needs to develop comprehensive baseline documentation of the roles configured on the SAP system. Without clear documentation, support personnel will have difficulty understanding the design objectives and functionalities of SAP objects such as roles and authorizations. This may lead to incompatible role assignments, incorrect changes, and difficulty in system maintenance. Detailed baseline documentation of the roles will serve as a foundation for future change management and facilitate employee transition.

Management is considering two potential change management solutions: (1) the eAccess system and (2) SAP Solution Manager. The eAccess system, which manages user accounts and logon procedures, may not be adequate to serve as a change management system. The Postal Service could use the eAccess system to manage the assignment of roles, but the system is not capable of managing changes made to roles. An appropriate change management solution for the SAP ERP system should both incorporate baseline documentation maintenance and provide change management functionalities for roles, positions, organizational units, sensitive and restricted transaction codes, and other critical SAP objects.

Recommendation

We recommend the executive director, Human Capital Enterprise, direct the manager, Human Capital Enterprise Programs, to:

3. Implement a formal change management system to document baseline role authorizations and subsequent changes.

3 Information Security, March 2002 (updated with Postal Bulletin revisions through May 26, 2005).

Management’s Comments

Management agreed the Postal Service should implement an audit trail of authorized role changes. Management stated it is impractical and unfeasible to capture all role, configuration, and programming changes that result from daily integration and customer acceptance testing. Therefore, management stated the Postal Service will implement the audit trail after completing current testing. Management also stated the Postal Service is writing detailed documentation of each role. Management’s plans include using existing SAP software that provides standard tools and reports to track role changes, role assignments, and changes to role assignments, which staff would run daily after completing current testing. In addition, management’s plans include using eAccess as a tracking tool for SAP authorization requests after implementing SAP. The manager, Human Capital Enterprise Programs, will implement these initiatives by January 2006.

Evaluation of Management’s Comments

Management agreed with the intent of our recommendation, and their action to document each role is responsive to our recommendation. In addition, management’s plans to implement an audit trail of authorized role assignments and changes using standard SAP tools and reports are responsive to the recommendation, and the actions taken or planned should correct the issues identified in the finding.

However, we have reservations about management’s plans to use eAccess as a tracking tool for SAP authorization requests. Management may be able to use eAccess to manage the assignment of roles; however, eAccess may not be able to manage the authorization of changes for roles, positions, organizational units, sensitive and restricted transaction codes, and other critical SAP objects. Because we have concerns with management’s plans to rely on eAccess to track authorization requests, we may review the process for managing SAP authorizations in a follow-up audit.

Other Matters

The potential for delay, leading to cost escalation, exists throughout the project implementation period. Management was scheduled to complete the SAP implementation in phases, with the initial phase targeted for completion in August 2005. However, the Postal Service has encountered data conversion and integration testing issues that have forced postponement of project implementation schedules. These issues could potentially be found in other performance clusters, resulting in overall project delay and additional costs. Management, based on lessons learned, developed a standardized approach to deal with reconciliation issues caused by associate offices.

Though we do not provide recommendations to address project management issues, management should be aware of the potential for project management risks, which can result in increased project costs and the system not being ready on time. There is also the potential risk that tasks such as integration testing and customer acceptance testing may be condensed or conducted concurrently to make up lost time, thereby affecting the overall reliability of the production system.

              APPENDIX. MANAGEMENT’S COMMENTS
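As an added example (not code from the report, the Postal Service, or SAP), the following Python script applies the three-function separation-of-duties model described under Core Security Group to a constructed set of roles and users, and then diffs a documented role baseline against a live snapshot to flag role changes with no approved change record, the audit-trail control the Change Management finding calls for. Every role name, privilege name, user ID and change ticket in it is constructed; nested roles are expanded because the report's footnote notes a role may be assigned to another role.

```python
"""Added example: separation-of-duties check and role-change audit trail for the
three-function SAP security model in the report. Not Postal Service or SAP code;
every role, privilege, user and change ticket below is constructed."""

# The three functional areas the report describes and the privileges each may hold.
FUNCTIONS = {
    "user_maintenance": {"lock_user", "unlock_user", "change_password",
                         "change_user_attributes"},
    "authorization_maintenance": {"create_role", "change_role", "create_profile"},
    "authorization_assignment": {"assign_role"},
}
# Withheld from all three functions per the report; any holder is flagged for review.
RESERVED = {"create_security_role", "assign_security_role", "create_org_position"}
PRIV_TO_FUNCTION = {p: f for f, privs in FUNCTIONS.items() for p in privs}


def effective_privileges(user_roles, roles):
    """Union of privileges over a user's roles; a role may contain other roles
    (see the report's footnote on roles), so nested roles are expanded."""
    seen, privs, stack = set(), set(), list(user_roles)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        for item in roles[name]:
            if item in roles:          # nested role
                stack.append(item)
            else:
                privs.add(item)
    return privs


def sod_conflicts(assignments, roles):
    """{user: reason} for every user whose effective privileges span more than
    one of the three functions or include a reserved privilege."""
    findings = {}
    for user, user_roles in assignments.items():
        privs = effective_privileges(user_roles, roles)
        funcs = sorted({PRIV_TO_FUNCTION[p] for p in privs if p in PRIV_TO_FUNCTION})
        reserved = sorted(privs & RESERVED)
        if len(funcs) > 1:
            findings[user] = "spans functions: " + ", ".join(funcs)
        elif reserved:
            findings[user] = "holds reserved privilege(s): " + ", ".join(reserved)
    return findings


def role_changes(baseline, current):
    """Diff the documented baseline against the live role snapshot."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name, set()), current.get(name, set())
        if before != after:
            changes.append({"role": name, "added": sorted(after - before),
                            "removed": sorted(before - after)})
    return changes


def unauthorized_changes(changes, approvals):
    """Changes not fully covered by an approved ticket; `approvals` maps
    role -> {"ticket", "added", "removed"}. These are the audit-trail gaps."""
    gaps = []
    for change in changes:
        approval = approvals.get(change["role"])
        covered = (approval is not None
                   and set(change["added"]) <= approval["added"]
                   and set(change["removed"]) <= approval["removed"])
        if not covered:
            gaps.append(change)
    return gaps


# Constructed sample data: one role per function, an HR role, a composite role.
BASELINE = {
    "Z_USER_ADMIN": {"lock_user", "unlock_user", "change_password"},
    "Z_ROLE_BUILDER": {"create_role", "change_role", "create_profile"},
    "Z_ROLE_ASSIGNER": {"assign_role"},
    "Z_HR_CLERK": {"display_personnel_record", "maintain_time_entries"},
    "Z_HR_SUPER": {"Z_HR_CLERK", "assign_role"},      # nests Z_HR_CLERK
    "Z_SEC_ADMIN": {"create_security_role", "assign_security_role"},
}
ASSIGNMENTS = {
    "ua01": {"Z_USER_ADMIN"}, "rb01": {"Z_ROLE_BUILDER"}, "ra01": {"Z_ROLE_ASSIGNER"},
    "hr01": {"Z_HR_CLERK"},
    "bad01": {"Z_ROLE_BUILDER", "Z_ROLE_ASSIGNER"},   # builds and assigns roles
    "bad02": {"Z_HR_SUPER", "Z_USER_ADMIN"},          # assigns (via nesting) and locks users
    "bad03": {"Z_SEC_ADMIN"},                         # reserved privileges
}
CURRENT = {name: set(privs) for name, privs in BASELINE.items()}
CURRENT["Z_HR_CLERK"].add("display_org_unit")       # approved under constructed CHG-0001
CURRENT["Z_ROLE_ASSIGNER"].add("create_profile")    # no ticket: drift that creates an SoD conflict
APPROVALS = {"Z_HR_CLERK": {"ticket": "CHG-0001", "added": {"display_org_unit"},
                            "removed": set()}}

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS, CURRENT))
    print("Unauthorized:", unauthorized_changes(role_changes(BASELINE, CURRENT), APPROVALS))
```

Run daily against a role export, the two outputs are the two reports the finding asks for: who currently spans functions, and which role changes lack an authorization record.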